Privacy Policy

1. Information We Collect

We collect information you provide directly to us, as well as information generated through your use of the Service.

Information You Provide

• Account Information: Name and email address when you create an account. You may also optionally provide a bio, location, website URL, and social profile links (GitHub, Twitter, LinkedIn).
• Organization Information: Enterprise names, team names, and member roles
• Customer Data: Infrastructure code, configurations, diagrams, documents, workflows, rulesets, and other content you create, upload, or store in the Service
• Agent Conversations:Messages you send to the AI agent, including the agent's responses, tool usage, and associated token consumption
• Secrets: API keys, credentials, and other sensitive values you store in the platform. Secrets are encrypted using envelope encryption and are never exposed in plaintext after creation.
• Payment Information: Billing details processed securely through Stripe. We do not store payment card numbers directly.
• User Preferences:Agent interaction preferences such as experience level and working style, which are used to personalize the AI agent's behavior
• Communications: Information you provide when you contact us for support or feedback

Information Collected Automatically

• Usage Data: Information about how you interact with the Service, including features used, pages visited, and actions taken
• Session Recordings: We use LogRocket to record user sessions in production, including clicks, navigation, console errors, and network activity. This helps us diagnose issues and improve the user experience. Session recordings are associated with your name, email, and account creation date.
• Device and Browser Information: IP address, browser type, operating system, and device identifiers
• Log Data: Server logs, error reports, and performance data

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, maintain, and improve the Service
• Process transactions and manage your subscription and credit usage
• Power AI agent features, including code generation, compliance evaluation, infrastructure design, and diagram creation
• Store and provide your agent conversation history so you can continue prior sessions
• Evaluate your infrastructure code against compliance rulesets and generate compliance assessments
• Send technical notices, security alerts, and support messages
• Respond to your comments, questions, and support requests
• Record and analyze user sessions to diagnose issues and improve the experience
• Detect, prevent, and address fraud, abuse, and security issues
• Comply with legal obligations

3. AI-Powered Features and Data Processing

The Service is built around an AI agent that processes your Customer Data to provide its core functionality. When you interact with the agent, the following data may be sent to an AI model provider for processing: your messages, workspace code and files, compliance rulesets, workflow definitions, and your agent preferences.

We do not use your Customer Data to train AI models, and we never sell your data to third parties. Your data is only processed for the minimum time required to perform the operations necessary to deliver the Service.

Platform-Provided Models

If you use the AI models provided by Infracodebase, your data is sent to our AI provider (Anthropic) for processing. Anthropic processes your data solely to provide the requested functionality and does not use your data to train their models.

Bring Your Own Model (Enterprise)

Enterprise customers may connect their own AI model providers and API keys to the platform. When you bring your own model, your data is sent directly to your chosen model provider using your own API keys and is subject to your agreement with that provider. Infracodebase does not process or store your data through our AI providers in this configuration.

4. Information Sharing and Third-Party Service Providers

We do not sell, trade, or rent your personal information to third parties. We share information only in the following circumstances:

Service Providers

We work with trusted third-party service providers who process data on our behalf to operate the Service. These providers are contractually obligated to protect your data and use it only for the purposes we specify:

• Microsoft Azure: Cloud infrastructure hosting, data storage, and platform services
• Clerk: User authentication and account management
• Stripe: Payment processing and subscription management
• Anthropic: AI model provider for platform-provided agent features
• GitHub: Source code hosting and CI/CD pipelines for the Service itself. If you connect your GitHub account, we store an OAuth token and installation metadata to enable repository access and git operations within your workspaces.
• LogRocket: Session recording and diagnostics in production
• Resend: Transactional email delivery (e.g., enterprise invitations)

Other Disclosures

• Legal Requirements: When required by law, regulation, legal process, or enforceable governmental request
• Protection of Rights: To protect the rights, property, or safety of Infracodebase Inc., our users, or the public
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case your information may be transferred as part of that transaction

5. Public Content and Workspace Visibility

The Service allows you to control the visibility of your workspaces and content:

• Private: Accessible only to you and workspace members you explicitly invite
• Internal: Accessible to members of your enterprise organization
• Public: Accessible to anyone on the internet without authentication. Public workspaces may appear in our template gallery and search results.

You may also publish workflows to our public registry. Content you make public is visible to anyone and may be forked or used by other users. You are responsible for ensuring that public content does not contain sensitive information, secrets, or proprietary data.

6. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit using TLS and data at rest using AES-256
• Envelope encryption for stored secrets, with unique encryption keys per secret and tamper-detection audit logging
• Multi-factor authentication and role-based access controls
• Regular security assessments and vulnerability scanning
• Network isolation and web application firewall protections

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

• Customer Data: Retained for the duration of your active account. Deleted within thirty (30) days of account termination or your written deletion request. This includes workspace code, files, diagrams, agent conversations, compliance results, workflows, rulesets, and encrypted secrets.
• Account Information: Retained for the duration of your active account and deleted within thirty (30) days of account termination.
• Payment Information: Managed by Stripe in accordance with their retention policies and applicable financial regulations.
• Log Data: Retained for up to ninety (90) days for operational and security purposes.

You are responsible for exporting any data you wish to retain prior to account termination.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your personal information, subject to legal retention requirements
• Objection: Object to the processing of your personal information in certain circumstances
• Data Portability: Request a copy of your data in a structured, commonly used format
• Withdraw Consent: Where processing is based on consent, withdraw your consent at any time

To exercise any of these rights, please contact us at the address below. We will respond to your request within thirty (30) days.

9. U.S. State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, or another U.S. state with applicable privacy legislation, you may have additional rights, including:

• The right to know what personal information we collect, use, and disclose about you
• The right to request deletion of your personal information
• The right to opt out of the sale or sharing of your personal information
• The right to non-discrimination for exercising your privacy rights

We do not sell your personal information. To submit a privacy request, please contact us using the information below. We may need to verify your identity before fulfilling your request.

10. International Data Transfers

Infracodebase processes and stores data in the United States (Microsoft Azure) by default. Your information may be accessed from other countries where Infracodebase or its service providers operate in order to provide, maintain, and support the Service.

Where required by applicable data protection law, we rely on appropriate legal mechanisms to support the transfer of personal data, including Standard Contractual Clauses (SCCs) and data processing agreements with our service providers.

Enterprise customers with data residency requirements may contact us to discuss regional hosting options.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service and improve your experience:

• Essential Cookies: Required for the Service to function, including authentication and session management (provided by Clerk)
• Session Recording: LogRocket records user sessions in production to help us diagnose issues and improve the experience. These recordings capture your interactions with the Service and are associated with your account.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Service.

12. Security Breach Notification

In the event of a security breach that affects your personal information, we will notify affected users in accordance with applicable law. We will provide information about the nature of the breach, the types of information involved, and the steps we are taking to address it.

13. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have collected information from a child under 16, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you by email. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about our handling of your information, please contact us at: